This series imports code from the edk2-platforms project related to disabling the TPM2 platform hierarchy in Ovmf and ArmVirtPkg. It addresses the Ovmf aspects of the following bugs:
https://bugzilla.tianocore.org/show_bug.cgi?id=3510
https://bugzilla.tianocore.org/show_bug.cgi?id=3499

I have patched the .dsc files and successfully test-built with most of them. Some I could not build because they failed for other reasons unrelated to this series. I tested the changes with QEMU on x86 following the build of ArmVirtQemu.dsc and OvmfPkgX64.dsc.

The disablement of the platform hierarchy is done after possibly handling PPI. Following TPM 2 logs on Arm, only PCR extensions are following afterwards until GRUB takes over.

Neither one of the following commands should work anymore on first try:

With IBM tss2 tools:
  tsshierarchychangeauth -hi p -pwdn newpass

With Intel tss2 tools:
  tpm2_changeauth -c platform newpass

Regards,
  Stefan

v5:
  - Modified patch 1 copies the code from edk2-platforms
  - Modified patch 2 fixes bugs in the code
  - Modified patch 4 introduces required PCD

v4:
  - Fixed and simplified code imported from edk2-platforms

v3:
  - Referencing Null implementation on Bhyve and Xen platforms
  - Add support in ArmVirtPkg

Stefan Berger (8):
  SecurityPkg/TPM: Import PeiDxeTpmPlatformHierarchyLib.c from edk2-platforms
  SecurityPkg/TPM: Fix bugs in imported PeiDxeTpmPlatformHierarchyLib
  SecurityPkg/TPM: Add a NULL implementation of TpmPlatformHierarchyLib
  SecurityPkg: Introduce new PCD PcdRandomizePlatformHierarchy
  OvmfPkg: Reference new TPM classes in the build system for compilation
  OvmfPkg: Disable the TPM2 platform hierarchy
  ArmVirtPkg: Reference new TPM classes in the build system for compilation
  ArmVirtPkg: Disable the TPM2 platform hierarchy

 ArmVirtPkg/ArmVirtCloudHv.dsc                 |   1 +
 ArmVirtPkg/ArmVirtQemu.dsc                    |   3 +
 ArmVirtPkg/ArmVirtQemuKernel.dsc              |   1 +
 ArmVirtPkg/ArmVirtXen.dsc                     |   1 +
 .../PlatformBootManagerLib/PlatformBm.c       |   6 +
 .../PlatformBootManagerLib.inf                |   2 +
 OvmfPkg/AmdSev/AmdSevX64.dsc                  |   3 +
 OvmfPkg/Bhyve/BhyveX64.dsc                    |   1 +
 .../PlatformBootManagerLib/BdsPlatform.c      |   6 +
 .../PlatformBootManagerLib.inf                |   1 +
 .../PlatformBootManagerLibBhyve/BdsPlatform.c |   7 +
 .../PlatformBootManagerLibGrub/BdsPlatform.c  |   7 +
 OvmfPkg/OvmfPkgIa32.dsc                       |   3 +
 OvmfPkg/OvmfPkgIa32X64.dsc                    |   3 +
 OvmfPkg/OvmfPkgX64.dsc                        |   3 +
 OvmfPkg/OvmfXen.dsc                           |   1 +
 .../Include/Library/TpmPlatformHierarchyLib.h |  27 ++
 .../PeiDxeTpmPlatformHierarchyLib.c           | 255 ++++++++++++++++++
 .../PeiDxeTpmPlatformHierarchyLib.inf         |  44 +++
 .../PeiDxeTpmPlatformHierarchyLib.c           |  19 ++
 .../PeiDxeTpmPlatformHierarchyLib.inf         |  31 +++
 SecurityPkg/SecurityPkg.dec                   |   6 +
 22 files changed, 431 insertions(+)
 create mode 100644 SecurityPkg/Include/Library/TpmPlatformHierarchyLib.h
 create mode 100644 SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.c
 create mode 100644 SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLib/PeiDxeTpmPlatformHierarchyLib.inf
 create mode 100644 SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.c
 create mode 100644 SecurityPkg/Library/PeiDxeTpmPlatformHierarchyLibNull/PeiDxeTpmPlatformHierarchyLib.inf

--
2.31.1
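As an added illustration, not code from this series or from edk2, the following shows what "disabling the platform hierarchy" comes down to on the wire: the marshalled TPM2_HierarchyControl command that clears phEnable using the still-empty platformAuth, the response code a later platform-hierarchy command gets once that has happened, and the TPM_PT_STARTUP_CLEAR check a verifier can run after boot. The constants are from the TCG TPM 2.0 Library specification; the response bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* Constants from the TCG TPM 2.0 Library spec, Part 2 (Structures). */
#define TPM_ST_SESSIONS             0x8002u
#define TPM_CC_HierarchyControl     0x00000121u
#define TPM_RH_PLATFORM             0x4000000Cu
#define TPM_RS_PW                   0x40000009u
#define TPM_RC_HIERARCHY            0x185u  /* RC_VER1 + 0x085: hierarchy not enabled */
#define TPMA_STARTUP_CLEAR_phEnable 0x1u    /* bit 0 of TPM_PT_STARTUP_CLEAR */

uint8_t tpm_cmd[32];  /* scratch buffer for the marshalled command */

static size_t put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = (uint8_t)v; return 2; }
static size_t put32(uint8_t *p, uint32_t v) {
  p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = (uint8_t)v; return 4;
}
static uint32_t get32(const uint8_t *p) {
  return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* TPM2_HierarchyControl(authHandle=TPM_RH_PLATFORM, enable=TPM_RH_PLATFORM, state=NO),
 * authorised by a password session carrying the empty platformAuth that exists after
 * TPM2_Startup(CLEAR). Returns the command length, or 0 if buf is too small. */
size_t build_disable_platform_hierarchy(uint8_t *buf, size_t cap) {
  size_t n = 0;
  if (cap < 32) return 0;
  n += put16(buf + n, TPM_ST_SESSIONS);
  n += put32(buf + n, 0);                      /* commandSize, patched at the end */
  n += put32(buf + n, TPM_CC_HierarchyControl);
  n += put32(buf + n, TPM_RH_PLATFORM);        /* authHandle */
  n += put32(buf + n, 9);                      /* authorizationSize: one empty PW session */
  n += put32(buf + n, TPM_RS_PW);              /* sessionHandle */
  n += put16(buf + n, 0);                      /* nonce size */
  buf[n++] = 0;                                /* sessionAttributes */
  n += put16(buf + n, 0);                      /* password size: empty platformAuth */
  n += put32(buf + n, TPM_RH_PLATFORM);        /* enable: the hierarchy being changed */
  buf[n++] = 0;                                /* state: NO clears phEnable until next Startup */
  put32(buf + 2, (uint32_t)n);
  return n;
}

/* Response code from a TPM response header; 0xFFFFFFFF for a malformed buffer. */
uint32_t parse_response_code(const uint8_t *rsp, size_t len) {
  if (len < 10 || (size_t)get32(rsp + 2) != len) return 0xFFFFFFFFu;
  return get32(rsp + 6);
}

/* Constructed response: what TPM2_HierarchyChangeAuth on TPM_RH_PLATFORM returns
 * once phEnable is clear (tag TPM_ST_NO_SESSIONS, size 10, TPM_RC_HIERARCHY). */
const uint8_t SAMPLE_RSP_HIERARCHY_DISABLED[10] = {0x80, 0x01, 0, 0, 0, 10, 0, 0, 0x01, 0x85};

/* Post-boot check: TPM_PT_STARTUP_CLEAR (e.g. from tpm2_getcap properties-variable)
 * must report phEnable clear once the firmware has disabled the hierarchy. */
int platform_hierarchy_enabled(uint32_t startup_clear) {
  return (startup_clear & TPMA_STARTUP_CLEAR_phEnable) != 0;
}
```

When PcdRandomizePlatformHierarchy is used instead, the hierarchy stays enabled but platformAuth is no longer empty, so the same password session fails on authorization rather than with TPM_RC_HIERARCHY.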